ISO IEC 29192-4 AMD 1-2016 Information technology - Security techniques - Lightweight cryptography - Part 4 Mechanisms using asymmetric techniques Amendment 1《信.pdf

1、Information technology Security techniques Lightweight cryptography Part 4: Mechanisms using asymmetric techniques AMENDMENT 1 Technologies de linformation Techniques de scurit Cryptographie pour environnements contraints Partie 4: Mcanismes bass sur les techniques asymtriques AMENDEMENT 1 INTERNATI

2、ONAL STANDARD ISO/IEC 29192-4 First edition 2013-06-01 Reference number ISO/IEC 29192-4:2013/Amd.1:2016(E) AMENDMENT 1 2016-02-15 ISO/IEC 2016 ii ISO/IEC 2016 All rights reserved COPYRIGHT PROTECTED DOCUMENT ISO/IEC 2016, Published in Switzerland All rights reserved. Unless otherwise specified, no p

3、art of this publication may be reproduced or utilized otherwise in any form or by any means, electronic or mechanical, including photocopying, or posting on the internet or an intranet, without prior written permission. Permission can be requested from either ISO at the address below or ISOs member

4、body in the country of the requester. ISO copyright office Ch. de Blandonnet 8 CP 401 CH-1214 Vernier, Geneva, Switzerland Tel. +41 22 749 01 11 Fax +41 22 749 09 47 copyrightiso.org www.iso.org ISO/IEC 29192-4:2013/Amd.1:2016(E) ISO/IEC 29192-4:2013/Amd.1:2016(E) Foreword ISO (the International Org

5、anization for Standardization) and IEC (the International Electrotechnical Commission) form the specialized system for worldwide standardization. National bodies that are members of ISO or IEC participate in the development of International Standards through technical committees established by the r

6、espective organization to deal with particular fields of technical activity. ISO and IEC technical committees collaborate in fields of mutual interest. Other international organizations, governmental and non-governmental, in liaison with ISO and IEC, also take part in the work. In the field of infor

7、mation technology, ISO and IEC have established a joint technical committee, ISO/IEC JTC 1. The procedures used to develop this document and those intended for its further maintenance are described in the ISO/IEC Directives, Part 1. In particular the different approval criteria needed for the differ

8、ent types of document should be noted. This document was drafted in accordance with the editorial rules of the ISO/IEC Directives, Part 2 (see www.iso.org/directives). Attention is drawn to the possibility that some of the elements of this document may be the subject of patent rights. ISO and IEC sh

9、all not be held responsible for identifying any or all such patent rights. Details of any patent rights identified during the development of the document will be in the Introduction and/or on the ISO list of patent declarations received (see www.iso.org/patents). Any trade name used in this document

10、 is information given for the convenience of users and does not constitute an endorsement. For an explanation on the meaning of ISO specific terms and expressions related to conformity assessment, as well as information about ISOs adherence to the WTO principles in the Technical Barriers to Trade (T

11、BT) see the following URL: Foreword - Supplementary information The committee responsible for this document is ISO/IEC JTC 1, Information technology, Subcommittee SC 27, Security techniques. ISO/IEC 2016 All rights reserved iii Information technology Security techniques Lightweight cryptography Part

12、 4: Mechanisms using asymmetric techniques AMENDMENT 1 Page v, Introduction Change the first sentence to: This part of ISO/IEC 29192 specifies four lightweight mechanisms based on asymmetric cryptography. Add the following after the third bullet: ELLI is a unilateral authentication scheme based on d

13、iscrete logarithms on elliptic curves over finite fields of characteristic two. The scheme is particularly designed with regard to use in passive RFID tags of vicinity type. NOTE ELLI has been successfully implemented on a passive RFID tag fully compliant to ISO/IEC 15693/18000- 3. Prototype tags wi

14、th practical working distance of “vicinity type” were presented at CeBIT 2008 and EuroID 2008. Add the following after the patent holder of Agency for Science, Technology and Research: Siemens Aktiengesellschaft CT IP LT M an ordinary elliptic curve E defined overF g () 2 . The elliptic curve E shal

15、l be given by its short Weierstrass equation Y 2+ XY = X 3+ aX 2+ b, with b 0 F , and shall be chosen in such a way that the following two conditions hold: #(E) = 4q 1 , with a prime q 1 ; #(E twist ) = 2q 2 , with a prime q 2 ; a point P = xy PP , on E generating a subgroup of order q 1 . NOTE 1 In

16、 this situation, the condition q 1 q 2is automatically fulfilled. This is due to the fact that #(E) and #(E twist ) are of the same order of magnitude as a consequence of the Hasse-Weil theorem (see Annex F). The size of the finite fieldF g () 2 and the parameters of the two curves E and E twistare

17、chosen in such a way that solving the elliptic curve discrete logarithm problem and solving the static Diffie-Hellman problem in both E and E twistare computationally infeasible tasks. The selected parameters shall be made available, to the necessary extent and in a reliable manner, to all entities

18、within the domain. a) Every claimant shall be equipped with a private key. b) Every claimant shall have the ability to execute the operations addition and multiplication inF g () 2 . c) Every claimant shall be able to execute the function MUL b,projintroduced in Clause 4, for the specific value b re

19、lated to the elliptic curve E. d) Every verifier shall obtain an authentic copy of the public key corresponding to the claimants private key. e) Every verifier shall be equipped with the base point P of the elliptic curve E and with the order q 1of P. f) Every verifier shall have the ability to exec

20、ute the operations addition, multiplication and division inF g () 2 . g) Every verifier shall be able to generate randomly positive integers q 1 . h) Every verifier shall be able to execute the function MUL b,affintroduced in Clause 4, for the specific value b related to the elliptic curve E. NOTE 2

21、 There are various options to provide the verifiers with trusted copies of the claimants public key. This topic is beyond the scope of this part of ISO/IEC 29192. 8.3 Key production To produce a key pair, the following two steps shall be performed. a) For claimant A an integer Q shall be uniformly a

22、nd randomly selected from the set 2, q 1 -1. The integer Q is As private key. b) As public key G(A) is MUL b,aff Q,x P , the (affine) x-coordinate of the point G = QP = xy GG , . ISO 2016 All rights reserved 5 ISO/IEC 29192-4:2013/Amd.1:2016(E) 8.4 Unilateral authentication mechanism This mechanism,

23、 which enables verifier B to authenticate claimant A, is summarized in Figure 3. In Figure 3, the bracketed letters a) to e) correspond to the steps of the mechanism, including the exchanges of information, as described in detail below. NOTE The authentication mechanism follows a “challenge-response

24、” approach. (b) Challenge d = x T (d) Response D = (X : Z ) U U (c), (d) (a), (b), (e) A B Figure 3 ELLI The following procedure shall be performed. The verifier B shall only accept the claimant A as valid if the following procedure completes successfully: a) The verifier randomly chooses a fresh nu

25、mber r with 0 r q 1and computes MUL b,aff r,x P and MUL b,aff r,G(A), i.e. the affine x-coordinatex T of the point T = rP and the affine x-coordinatex V of the point V = r(QP). The challenge d is the field element d =x T . b) The verifier sends d to the claimant. c) On receipt of the challenge d the

26、 claimant A computes D = MUL b, proj (Q,d) = XZ UU : , the projective x-coordinate of the point U = QT, consisting of two field elementsX U andZ U inF g () 2 . D = XZ UU : is the response. d) The claimant sends D to the verifier. e) On receipt of the response D, the verifier B checks ifX U =0 F orZ

27、U =0 F holds. If one of these equations holds, the claimant is considered not authentic. If X U 0 F andZ U 0 F the verifier computesxZ VU inF g () 2 and verifies whether or not the equationX U = xZ VU holds inF g () 2 . The claimant is considered authentic by the verifier if and only if the equation

28、X U = xZ VU holds.Page 14, Annex A Replace the content with the following: LightweightCryptography-4 iso(1) standard(0) lightweight-cryptography(29192) part4(4) asn1-module(0) algorithm-object-identifiers(0) DEFINITIONS := BEGIN EXPORTS ALL; OID := OBJECT IDENTIFIER - alias - Synonyms is29192-4 OID := iso(1) standard(0) lightweight-cryptography(29192) part4(4)6 ISO 2016 All rights reserved